
configure https for www.wikilovesmonuments.org
Closed, ResolvedPublic

Description

https://wikilovesmonuments.org/ currently provides only a certificates for *.wikimedia.nl, wikimedia.nl. It should provide a correct certificate and at least be as well configured regarding HTTPS as en.wikipedia.org.

Event Timeline

JanZerebecki raised the priority of this task from to Needs Triage.
JanZerebecki updated the task description.
JanZerebecki added subscribers: JanZerebecki, Dzahn.
Restricted Application added subscribers: StudiesWorld, Aklapper. Nov 11 2015, 1:15 PM
Dzahn awarded a token. Nov 11 2015, 6:51 PM
Dzahn added a comment. Nov 11 2015, 6:57 PM

wikilovesmonuments.org is owned by Wikimedia Deutschland per whois record and hosted at Domainfactory GmbH. wikimedia.nl is registered to an individual person in Rotterdam. As reported, if you go to wikilovesmonuments.org you get *.wikimedia.nl, wikimedia.nl certs though. Confusing situation all this :) I agree it should be fixed but who (which organization) would get the cert to start with?

Elitre added a subscriber: Elitre. Nov 11 2015, 7:22 PM
JanZerebecki set Security to None. Nov 12 2015, 4:23 PM
JanZerebecki added subscribers: siebrand, Multichill.
Restricted Application added a project: Operations. Feb 23 2016, 6:12 PM

You can hardly call "Registrar.eu" an individual in Rotterdam or are you looking at different records than I am?

  • wikilovesmonuments.org is registered by WMDE. Why? If I recall correctly we didn't have the WMNL account info around so we used the WMDE account
  • wikimedia.nl is owned by Wikimedia Nederland
  • wikilovesmonuments.org is running on a Wikimedia Nederland server

If we want to get this fixed, we probably need something like:

  • some WMNL server admin generates a private key for wikilovesmonuments.org
  • sends the public key to WMDE
  • WMDE gets the public key signed and returns it to WMNL
  • WMNL installs the key

Not sure what the best way is to get around multiple sites and keys on the same server here.

I don't really care enough to put any effort in this, rather spend my time on other things, maybe someone else feels like doing this?

Dzahn added a comment. Feb 25 2016, 2:14 AM

I personally think it's a serious issue. Every user who goes to that site on https gets a fullscreen "wikilovesmonuments.org uses an invalid security certificate." warning that basically tells him to go away. I don't think it should be a question "if" we want that fixed; it should be that or turn off the https protocol.

Dzahn triaged this task as High priority. Mar 31 2016, 1:08 AM
Krinkle removed a subscriber: Krinkle. Mar 31 2016, 1:18 AM

Ok, so what needs to be done here? cc @Multichill

Dzahn added a comment. Apr 1 2016, 10:56 PM

@JeanFred a WMNL and a WMDE server admin need to work together to fix it

Restricted Application added a project: Traffic. Apr 1 2016, 10:57 PM

A few weeks ago, I asked Sindy Meijer from the Dutch office to take this up with the company that is now doing the admin for Wikimedia NL. Apparently this slipped; I will ask again next week.

Restricted Application added a project: Operations. Apr 2 2016, 7:48 PM
Dzahn added a comment. Apr 11 2016, 5:32 PM

@Akoopal great, thank you

@Akoopal Thank you! I will contact server admin.

The solution is:

Lemonbit creates a so-called CSR, a certificate request for wikilovesmonuments.org. You can send this CSR to the administrator of wikilovesmonuments.org; they can request a certificate themselves with it and then send it back to us to install on the server. When delivering the certificate they will also need to include the accompanying root and intermediate (CA) certificates. We can then install these for you. This option may be easier in terms of the validation process.

Just in Dutch, because it is already hard enough as it is. Do you happen to know who is in charge of this at Wikimedia DE? Thanks in advance!

Quick translation:

Lemonbit will create a CSR, a certificate request, for wikilovesmonuments.org. This CSR can be sent to the maintainer of wikilovesmonuments.org; they can request a certificate with that file and send it back for installation on the server. With the certificate, the root and intermediate (CA) certificates need to be included as well.

Question from Sindy: Do you know who can handle this from Wikimedia DE.

That would work, but there is an easier solution: Use https://letsencrypt.org/ . It should be self-service for the server admin.

@JanZerebecki Via Let's Encrypt, it is not possible to have all the necessary certificates. I have contacted Wikimedia DE with the following solution:

Lemonbit will create a CSR, a certificate request, for wikilovesmonuments.org. This CSR can be sent to the maintainer of wikilovesmonuments.org; they can request a certificate with that file and send it back for installation on the server. With the certificate, the root and intermediate (CA) certificates need to be included as well.

A CSR will only provide one certificate.

Via Let's Encrypt, it is not possible to have all the necessary certificates.

Can you explain why you think that is the case?

Lemonbit says: We have successfully installed the certificate for www.wikilovesmonuments.org (alias wikilovesmonuments.org), SSL connections to this location no longer implement the *.wikimedia.nl wildcard, and as a consequence the security prompt no longer appears when connecting via https.

Akoopal closed this task as Resolved. Jun 2 2016, 12:28 PM
Akoopal claimed this task.

Per comment from Sindy, certificate is installed.

Dzahn added a comment. Jun 2 2016, 2:13 PM

This is great, but I can't confirm yet that it has been installed.

wikilovesmonuments.org uses an invalid security certificate. The certificate is only valid for the following names: *.wikimedia.nl, wikimedia.nl

https://www.ssllabs.com/ssltest/analyze.html?d=wikilovesmonuments.org&ignoreMismatch=on&latest

Dzahn reopened this task as Open. Jun 2 2016, 2:13 PM

Interesting. The site fixed is www.wikilovesmonuments.org. Without www it seems to just point to the default site.

Dzahn added a comment (edited). Jun 3 2016, 2:10 AM

You are right, it's fine with www, there it gets an A rating and looks good in my browser as well. Ideally with and without www would both be on the cert as "SANs"

https://www.ssllabs.com/ssltest/analyze.html?d=www.wikilovesmonuments.org

Dzahn added a comment. Jun 3 2016, 2:14 AM
Ideally with and without www would both be on the cert as "SANs"

and after looking closer I see this is already the case:

DNS Name: www.wikilovesmonuments.org
DNS Name: wikilovesmonuments.org

So the cert seems fine, but it would be an Apache config issue then, like adding a ServerAlias
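Why the bare name kept failing even though the certificate already carried both SANs, as an added example that is not code from this task or from the server admins involved: a small Python model of the browser's hostname check (simplified RFC 6125 rules) and of Apache's name-based virtual host selection with its default-vhost fallback. The certificates and vhost layouts are constructed from what the comments describe; `select_vhost` is a simplified stand-in for Apache's behaviour, not its code.

```python
"""Model of browser hostname matching and Apache vhost selection.

Example code written for this thread, not code from the server involved. All
certificates and vhosts below are constructed to mirror what the comments
describe: a *.wikimedia.nl wildcard on the default site and a dedicated cert
for www.wikilovesmonuments.org / wikilovesmonuments.org."""
from dataclasses import dataclass, field


@dataclass
class CertInfo:
    """The identity names a certificate presents."""
    subject_cn: str
    sans: list = field(default_factory=list)  # dNSName entries of subjectAltName

    def presented_names(self):
        # Browsers ignore the CN once any SAN is present.
        return self.sans if self.sans else [self.subject_cn]


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one presented name against a hostname.

    A wildcard is only honoured as the whole leftmost label and covers exactly
    one label, so '*.wikimedia.nl' matches 'www.wikimedia.nl' but neither
    'wikimedia.nl' nor 'a.b.wikimedia.nl'. Comparison is case-insensitive and
    ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Refuse wildcards like '*.nl' that would cover a whole public suffix.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: CertInfo, hostname: str) -> bool:
    """True if a browser would accept `cert` for `hostname` (name check only)."""
    return any(name_matches(n, hostname) for n in cert.presented_names())


def uncovered_hosts(cert: CertInfo, hostnames):
    """The entries of `hostnames` that `cert` does not cover."""
    return [h for h in hostnames if not cert_covers(cert, h)]


@dataclass
class VHost:
    """An Apache name-based virtual host with the certificate it serves."""
    server_name: str
    cert: CertInfo
    server_aliases: list = field(default_factory=list)


def select_vhost(vhosts, sni_hostname: str) -> VHost:
    """Apache-style selection: the first vhost whose ServerName or a ServerAlias
    matches the SNI name answers; with no match the first vhost listed (the
    default) answers with its own certificate. Real ServerAlias accepts shell
    globs; this model only understands exact names and a leading '*.' label."""
    for vh in vhosts:
        names = [vh.server_name, *vh.server_aliases]
        if any(name_matches(n, sni_hostname) for n in names):
            return vh
    return vhosts[0]


def connection_ok(vhosts, hostname: str) -> bool:
    """Does the certificate actually served for `hostname` cover `hostname`?"""
    return cert_covers(select_vhost(vhosts, hostname).cert, hostname)


# Constructed certificates modelled on the two mentioned in the thread.
WILDCARD_CERT = CertInfo("*.wikimedia.nl", ["*.wikimedia.nl", "wikimedia.nl"])
WLM_CERT = CertInfo("www.wikilovesmonuments.org",
                    ["www.wikilovesmonuments.org", "wikilovesmonuments.org"])

# Constructed vhost layouts: the default site first, the WLM site second.
DEFAULT_SITE = VHost("wikimedia.nl", WILDCARD_CERT, ["*.wikimedia.nl"])
BEFORE = [DEFAULT_SITE, VHost("www.wikilovesmonuments.org", WLM_CERT)]
AFTER = [DEFAULT_SITE, VHost("www.wikilovesmonuments.org", WLM_CERT,
                             ["wikilovesmonuments.org"])]  # ServerAlias added

if __name__ == "__main__":
    for host in ["www.wikilovesmonuments.org", "wikilovesmonuments.org"]:
        print(f"{host}: before={connection_ok(BEFORE, host)} "
              f"after={connection_ok(AFTER, host)}")
```

With the `BEFORE` layout the bare name matches no ServerName or ServerAlias, so Apache falls back to the default site and hands out the wildcard certificate, which is exactly the mismatch warning reported above; adding the bare name as a ServerAlias (`AFTER`) makes the request reach the vhost whose certificate lists both SANs.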

Dzahn added a comment. Jun 3 2016, 8:14 PM

Strictly the ticket is resolved because it just says to configure it for "www". But it would be nice if we can get this fixed too, since the cert already has both variants on it anyway.

JeanFred closed this task as Resolved. Jun 22 2016, 12:14 PM

Thanks all for this! :)

Yay! Thank you!

Please help me:

Several instances of abuse on the Wordpress installation on domain 'wikilovesmonuments.org' (server 'schippers.wikimedia.nl') were detected on August 16, 2016 around 8 PM (GMT+1).

In this case spam messages were sent using the PHPMailer component from Wordpress through requests to the following URLs, from multiple different Asian IP addresses:

The PHPMailer class/component used in these cases is included in every Wordpress installation by default.
Although this script can be used in a legitimate manner by themes or plugins, in this case we suspect that it has been abused by bypassing any input validation, possibly caused by a theme or plugin not using proper input validation in its implementation of the PHPMailer component.

To stop this script from sending spam messages we have performed the following:

  • We have blocked suspicious IP addresses (210.213.254.66 and 103.17.117.236) in the firewall.
  • We have made sure the PHPMailer component script (/var/www/wikilovesmonuments.org/public/wp-includes/class-phpmailer.php) is made neither readable nor executable until this vulnerability has been fixed by the webmaster.

To prevent any similar abuse in the future we do recommend the following:

  • Make sure all themes and plugins used in the Wordpress installation are up-to-date, to prevent any known security issues in outdated versions,
  • Investigate which component/theme/plugin in the Wordpress installation is responsible for processing the URLs mentioned above,
  • Remove or replace the Wordpress plugin (or implementation) that is responsible for processing the URLs mentioned above.

Please inform us of the steps taken to prevent this abuse on this Wordpress installation.

Thank you!

Sindy Meijer
Wikimedia Nederland
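One way to spot the pattern the report above describes, as an added example that is not code from Lemonbit, WMNL or this task: count POST requests per client IP and path inside a sliding time window over Apache access-log lines and flag the pairs that exceed a threshold. Mail-form abuse shows up as one client posting to the same mail-handling script many times in a few minutes, while legitimate visitors post once or twice. The log lines are constructed (TEST-NET addresses) and the plugin path is a placeholder, since the report's actual URLs do not appear in the thread.

```python
"""Detect bursts of POSTs to one path from one client in Apache access logs.

Example code written for this thread, not a tool the hosting company used.
The sample log and the plugin path below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return a dict with ip, ts (aware datetime), method, path, status, size;
    None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_post_bursts(lines, threshold: int = 5,
                     window: timedelta = timedelta(minutes=10)):
    """Map (ip, path) -> largest number of POSTs that fell inside one `window`,
    for the pairs that reach `threshold`. Only POSTs count: the spam was sent
    by posting form data to a mail-handling script, not by fetching pages."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            stamps_by_key[(rec["ip"], rec["path"])].append(rec["ts"])
    flagged = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


# Constructed sample log. One client posts six times to the mail script within
# two minutes; another posts twice, 38 minutes apart; a third only fetches pages.
MAIL_PATH = "/wp-content/plugins/example-form/send.php"  # placeholder path
SAMPLE_LOG = f"""\
203.0.113.10 - - [16/Aug/2016:20:01:05 +0100] "POST {MAIL_PATH} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Aug/2016:20:01:09 +0100] "POST {MAIL_PATH}?r=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [16/Aug/2016:20:01:30 +0100] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Aug/2016:20:01:44 +0100] "POST {MAIL_PATH} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Aug/2016:20:02:00 +0100] "POST {MAIL_PATH} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Aug/2016:20:02:10 +0100] "POST {MAIL_PATH} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Aug/2016:20:02:31 +0100] "POST {MAIL_PATH} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Aug/2016:20:02:58 +0100] "POST {MAIL_PATH} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Aug/2016:20:40:00 +0100] "POST {MAIL_PATH} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for (ip, path), count in find_post_bursts(SAMPLE_LOG).items():
        print(f"{ip} sent {count} POSTs to {path} within 10 minutes")
```

Running the block over a real log would answer the report's second recommendation (which path, and therefore which theme or plugin, is processing the mail requests) and produce the per-IP counts that justified the firewall blocks; the threshold and window are tuning knobs, not fixed values.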

Dzahn added a comment. Aug 30 2016, 3:05 PM

@SindyM3 I think this should probably have a new ticket. Do you know who is admin of schippers.wikimedia.nl ?

@SindyM3 I think this should probably have a new ticket. Do you know who is admin of schippers.wikimedia.nl ?

This is being handled using a different medium.

Dzahn added a comment. Aug 30 2016, 6:11 PM

ok, cool. thanks @Multichill

SindyM3 added a comment (edited). Aug 31 2016, 8:05 AM

@SindyM3 I think this should probably have a new ticket. Do you know who is admin of schippers.wikimedia.nl ?

This is being handled using a different medium.

@Multichill Can you tell me where I can find it? Thanks

@Dzahn I'm sorry for not creating a new ticket. The admin of schippers.wikimedia.nl is Lemonbit, and they sent me this email. So I'm looking for the person who is in charge of the Wordpress installation.

Dzahn added a comment. Aug 31 2016, 2:13 PM

@SindyM3 No problem. I don't know who is in charge of that, but WMNL people would know. When looking at https://www.wikimedia.nl/blog I see a small link in the footer to http://www.twokings.nl/ that looks like a webdesign company ("Ontwerp en bouw website: Two Kings"). So maybe it's them.

@Dzahn WMNL people don't know because I am one of them :(

@SindyM3: it's your server that's being exploited, and it's maintained by a third party that you pay to keep you safe. It's probably time to start being a bit more pushy in their direction.

@siebrand I will send a mail about this, but imho lemonbit has done the correct steps.